Controller and processor

Reveni's artificial intelligence assistant (hereinafter, the "Service") is technologically provided by Reveni S.L. (tax ID B09662453, Madrid, Spain; hereinafter, "Reveni") and is integrated into the websites of associated e-commerce merchants (hereinafter, the "Merchant").

The Service is offered in a modular configuration: each Merchant may contract one or several of the following features, so the specific provisions of this Policy shall only apply to the User to the extent that the Merchant has enabled the corresponding feature.

Conversational assistant (chatbot): responds to queries about products, orders, returns, size guides and Merchant policies. Specific processing described in Section 4.1.

Virtual try-on: photo try-on and live try-on (camera) using generative AI models. Specific processing described in Section 4.2.

 Size recommendation: indicative estimate based on voluntarily provided data. Specific processing described in Section 4.3.

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"):

 The Merchant acts as Data Controller of the personal data collected through its website.

 Reveni acts as Data Processor, processing data exclusively on behalf of the Merchant and in accordance with its instructions, under a data processing agreement (art. 28 GDPR).

Nevertheless, for the sake of transparency with the end user (the "User"), this Policy describes in detail how personal data is processed within the framework of the Service.

Personal data we collect

Data category Description Feature

Conversation content Text or voice messages exchanged between the User and the chatbot. Conversational chatbot

Identification data provided in the chat Data voluntarily provided by the User during the conversation, such as email, name, phone or order number. Conversational chatbot

Widget

interactions Actions taken by the User within the widget and context data such as language and page of origin. Contextualization and analytics

Response ratings Optional ratings and comments on the usefulness of a response. Improvement of Service quality

User photograph Full-body image voluntarily uploaded by the User. Photo try-on

Real-time camera capture Video stream captured by the camera of the User's device. Live try-on

Body

measurement data Sex, height and weight, voluntarily provided. Size recommendation

Resulting image/video AI-generated composition showing the User with the product. Try-on result

Data category Description Feature

Technical data Basic technical data such as IP address, browser and session identifier. Technical operation, security and abuse prevention

The User is not obliged to provide personal data in the conversation. When they voluntarily provide it (e.g. their email address or order number to check the status of a shipment), such data is processed only for the purposes described in this Policy. We recommend that the User not share sensitive information (health data, credentials, financial data, etc.) through the chat.

We do not collect biometric data. Photographs and camera captures are used exclusively to generate the product visualization and are not processed for biometric identification, facial recognition or biometric profiling purposes.

We do not use chat content or User images to train AI models. Data is sent to AI model providers only in inference mode and under contractual agreements that expressly prohibit its use for training.

3. Purposes and legal basis of the processing

Purpose Legal basis (GDPR)

Responding to the User's queries through the chatbot (product information, orders, returns, Merchant policies, etc.). Performance of pre-contractual or contractual measures between the User and the Merchant (art. 6.1.b) and/or legitimate interest of the Merchant in providing customer service (art. 6.1.f).

Managing specific requests by the User through the chat (e.g. order status queries, initiating a return, contacting support). Performance of the contract between the User and the Merchant (art. 6.1.b).

Purpose Legal basis (GDPR)

Generating the product visualization over the User's image (photo or live video). Explicit consent of the User (art. 6.1.a).

Providing indicative size recommendation. Explicit consent of the User (art. 6.1.a).

Analyzing conversations on an aggregated basis to produce metrics and product insights for the Merchant (volume of queries, most frequent topics, satisfaction, friction detection). Legitimate interest of Reveni and the Merchant (art. 6.1.f). Insights shared with the Merchant are aggregated and do not allow re-identification of the User.

Improving Service quality through the analysis of response ratings and error debugging. Legitimate interest of Reveni (art. 6.1.f).

Ensuring the technical operation, security and prevention of abuse, fraud or improper use of the Service. Legitimate interest of Reveni and the Merchant (art. 6.1.f).

Compliance with applicable legal obligations. Compliance with a legal obligation (art.

6.1.c).

Consent for the virtual try-on and size recommendation features is obtained through the acceptance checkbox that the User must tick before using them. The User may withdraw their consent at any time, without affecting the lawfulness of processing prior to withdrawal.

Regarding the chatbot, the mere use of the widget implies the processing of the messages the User sends for the customer service purposes described. The User may stop using the chat at any time by closing the widget.

4. How we process the data

The following describes the specific processing by feature. Each section only applies to the User when the Merchant has enabled the corresponding feature.

4.1 Conversational assistant (chatbot)

Messages sent through the widget are transmitted encrypted to Reveni and processed by a language model using the context authorized by the Merchant (catalog, size guides, policies) to generate the response. Where needed, the Service may consult the Merchant's systems to retrieve specific order information using the minimum necessary data.

Conversations are retained for the purposes and periods indicated in Sections 3 and 5.

4.2 Virtual try-on

The Virtual Try-on is offered in two modalities: photo try-on and live try-on.

Photo try-on: the photograph uploaded by the User is processed by a generative AI model together with the product image to produce the resulting image. Both the original photograph and the resulting image are automatically deleted within a maximum of 24 hours.

Live try-on: the video stream is processed in real time via encrypted connection to overlay the product on the User's image. No frame or recording is stored on our servers; processing is exclusively in transit. Should the User choose to save a recording, it is stored exclusively on their local device.

4.3 Size recommendation (body measurement data)

Sex, height and weight data are processed exclusively in memory to calculate the size recommendation and are not stored persistently on our servers.

5. Data retention

Data Retention period

Conversation content (User's messages and chatbot responses) Up to 12 months from the last interaction, unless the Merchant requires a shorter period or a longer period is necessary to comply with legal obligations or handle claims.

Data Retention period

Data provided in the chat (email, name, phone, order number) Same period as the conversation content, unless the Merchant retains it in its own systems under its privacy policy.

Ratings and comments on responses Up to 24 months, associated with the conversation; subsequently retained in aggregated and anonymized form.

Aggregated insights and metrics for the Merchant No defined period, as they are anonymized data not traceable back to the User.

User photograph Automatically deleted within a maximum of 24 hours.

Live video stream Not stored; processing exclusively in transit.

Resulting image/video Automatically deleted within a maximum of 24 hours.

Body measurement data Only in memory during the session; not persisted.

Technical data (logs) Maximum 30 days, for security and debugging purposes.

Once the indicated periods have elapsed, data is irreversibly deleted or anonymized. The Merchant, in its capacity as Data Controller, may establish shorter periods and request Reveni to carry out early deletion of data.

6. Sub-processors

To provide the Service, Reveni relies on specialized technology providers that act as sub-processors, including AI model providers, cloud infrastructure services and observability tools.

Reveni maintains data processing agreements with each sub-processor that guarantee a level of protection equivalent to that required by the GDPR and expressly prohibit the use of User data to train providers' own models.

The Merchant may request the updated list of sub-processors through the channel indicated in Section 14.

7. International data transfers

Some providers used to deliver the Service may be located outside the European

Economic Area. Such transfers are carried out with the safeguards established in Chapter V of the GDPR, including standard contractual clauses and, where appropriate, supplementary measures.

8. User rights

In accordance with the GDPR and the LOPDGDD, the User has the right to:

Right Description

Access Obtain confirmation as to whether their data is being processed and access it.

Rectification Request the correction of inaccurate or incomplete data.

Erasure Request the deletion of their data when no longer necessary, when consent is withdrawn, or when they object to the processing.

Restriction Request the restriction of processing under certain circumstances.

Portability Receive their data in a structured, commonly used format.

Objection Object to processing based on legitimate interest.

Withdrawal of consent Withdraw consent at any time, without affecting the lawfulness of prior processing.

Given that images are automatically deleted within a maximum of 24 hours and the live video stream is not stored, it is possible that, at the time of exercising certain rights over such data, it may no longer be held by Reveni. Chatbot conversations and data provided in the chat are available during the period indicated in Section 5 and may be subject to the rights described.

When the User directs a request to exercise rights directly to Reveni, Reveni will forward it to the Merchant in its capacity as Data Controller and will cooperate with the Merchant to respond. Alternatively, the User may contact the Merchant directly.

To exercise their rights, the User may contact:

Email: legal@reveni.io

Postal address: Reveni S.L., Madrid, Spain

Reveni will respond to requests within a maximum of one month from receipt, which may be extended by two additional months depending on the complexity or number of requests.

The User also has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), headquartered at C/ Jorge Juan, 6, 28001 Madrid (www.aepd.es).

9. Data security

Reveni applies appropriate technical and organizational measures to ensure the security, confidentiality and integrity of personal data. These include encryption in transit and at rest, segregation of each Merchant's data, role-based access control, automatic deletion of images after the session, and periodic security reviews.

10. Minors

The Service is not directed at minors under 16 years of age. We do not knowingly collect personal data from minors. If Reveni becomes aware that data of a minor under 16 has been collected without the verifiable consent of their father, mother or legal guardian, it will proceed to delete it immediately.

11. Cookies and similar technologies

The Service widget does not install tracking cookies on the User's device. The browser's local storage is used only to maintain session continuity and remember widget preferences during the User's session, and is deleted when the widget session is closed or when browsing data is cleared.

The cookies on the Merchant's website are governed by the cookie policy of that Merchant.

12. Automated decisions

The Service uses AI models to generate chatbot responses, virtual try-on visualizations and, where applicable, the size recommendation. These automated decisions are exclusively indicative in nature and do not produce legal effects on the

User nor similarly significantly affect them, within the meaning of Article 22 of the GDPR. The User may, at any time, request human assistance by contacting the Merchant through the usual customer service channels.

13. Changes to this Policy

Reveni reserves the right to update this Privacy Policy. Modifications shall enter into force upon publication. Users are advised to review it periodically.

14. Data Protection Officer contact

For any matter relating to the protection of personal data in the context of the Service, the User may contact Reveni's Data Protection Officer at:

 Email: legal@reveni.io

Reveni S.L. — Tax ID B09662453 — Madrid, Spain

This document is informational in nature and is recommended to be reviewed by a legal professional prior to publication.

Last update: April 2026